REMARKS

In view of the following discussion, the Applicants submit that none of the claims 
now pending in the application is directed to non-statutory subject matter under 35 
U.S.C. §101, anticipated under the provisions of 35 U.S.C. §102, or obvious under the 
provisions of 35 U.S.C. §103. Thus, the Applicants believe that all of these claims are 
in allowable form. 

I. REJECTION OF CLAIMS 10, 12, AND 13 UNDER 35 U.S.C. §101

Claims 10, 12, and 13 stand rejected as being allegedly directed to non-statutory 
subject matter. Specifically, the Examiner alleges that "the applicant has not shown that 
the computer readable medium [recited in claims 10, 12, and 13] is hardware" (Final 
Office Action, Page 2). The Applicants respectfully traverse the rejection. Moreover, 
the Applicants note that claim 13 was cancelled without prejudice in a previous 
amendment; accordingly, the rejection of claim 13 is moot. 

Specifically, the Applicants respectfully submit that the claims 10 and 12 were 
amended in a previous response to recite a "computer readable storage medium" 
(emphasis added). "In this context, 'functional descriptive material' consists of data
structures and computer programs which impart functionality when employed as a 
computer component." (MPEP 2106.01) "When functional descriptive material is 
recorded on some computer-readable medium, it becomes structurally and functionally 
interrelated to the medium and will be statutory in most cases since use of technology 
permits the function of the descriptive material to be realized." (MPEP 2106.01) 

Since the claimed executable program is contained on a computer readable 
storage medium, the executable program is "structurally and functionally interrelated" to 
the computer readable storage medium, and, as such, is statutory in accordance with 
MPEP 2106.01. Therefore, the Applicants respectfully submit that claims 10 and 12 
fully satisfy the requirements of 35 U.S.C. §101. Accordingly, the Applicants 
respectfully request that the rejection under 35 U.S.C. §101 be withdrawn. 

II. REJECTION OF CLAIMS 1-2, 4-5, AND 10-13 UNDER 35 U.S.C. §102

Claims 1-2, 4-5, and 10-13 stand rejected as being anticipated by the Purtell et 
al. patent (U.S. 6,950,947, issued September 27, 2005, hereinafter "Purtell"). Claim 13 
has been cancelled without prejudice, as discussed above. Applicants respectfully
traverse the remaining rejections. 

Particularly, the Examiner's attention is directed to the fact that Purtell fails to 
disclose or suggest a method for correlating sensors in an intrusion detection system by 
adjusting a belief state of a first sensor based on a belief state of a second sensor, 
where the adjustment improves the sensitivity of the first sensor to suspicious activity 
(e.g., attempted communications with nonexistent services or resources) and/or
reduces alarms generated by erroneous transactions, as claimed in Applicants'
independent claims 1, 4, 5, and 10-12.

By contrast, Purtell discloses a set of peer firewalls/proxy servers that share
information about transmission control protocol (TCP) control state in order to enhance 
the efficiency of TCP throughput in a network. Purtell says nothing about the need to 
monitor the network for suspected intrusions, e.g., by using an intrusion detection 
system, as claimed by the Applicants in independent claims 1, 4, 5, and 10-12. A
firewall, which filters data before it can reach the network (See, e.g., column 1, lines 33- 
41 of Purtell: "A firewall typically filters network packets received from the external 
network to determine whether to forward them to their destination on the internal 
network." emphasis added), is not the same as an intrusion detection system, which
identifies potential intrusions based on analysis of data that has already entered the
network. Thus, a firewall may be considered an intrusion prevention system, but not an
intrusion detection system. 

The Examiner's statements in the Final Office Action actually support the 
Applicants' interpretation of Purtell with respect to the claimed invention. For instance,
the Examiner states on Page 3 of the Final Office Action that "Purtell discloses 
firewalls." The Examiner then goes on to state that "a firewall is [a] designed to prevent 
unauthorized access to and from a private network" (emphasis added) and that
"[f]irewalls are frequently used to prevent unauthorized Internet users from accessing
private networks connected to the Internet" (emphasis added). In other words, the 
firewalls taught by Purtell are intended to stop potential intrusions before they actually
occur. As discussed above, the claimed invention is directed to the correlation of
sensors in an intrusion detection system — i.e., a system that detects potential intrusions
that have actually occurred.

Moreover, as discussed above, Purtell is directed to a method for improving
throughput between firewalls and servers by sharing TCP connection state data. For 
instance, by sharing information concerning congestion, round trip time, and other state 
components affecting packet transmission to/from a particular server, a connection 
between a firewall and the server may be initiated in a manner that maximizes data 
transfer speed (See, e.g., Purtell, column 8, lines 44-53). Purtell fails to disclose or 
suggest detecting suspicious activity in a network or generating alarms (false or 
otherwise) in response to such detections (for example as recited in independent claims 
4 and 11). In fact, the words "suspicious" and "alarm" do not even appear in the 
disclosure of Purtell. The Examiner has failed to address this fact in the Final Office 
Action. 

Thus, Purtell fails to disclose or suggest a method for correlating sensors in an 
intrusion detection system by adjusting a belief state of a first sensor based on a belief 
state of a second sensor, where the adjustment improves the sensitivity of the first 
sensor to suspicious activity (e.g., attempted communications with nonexistent
services or resources) and/or reduces alarms generated by erroneous transactions, as
claimed in Applicants' independent claims 1, 4, 5, and 10-12. Specifically, Applicants'
claims 1, 4, 5, and 10-12 positively recite:



1. A method for correlating a first sensor to a second sensor in an intrusion
detection system, the first sensor and the second sensor each maintaining belief
regarding a resource or service monitored by the intrusion detection system, the method 
comprising the steps of: 

(a) transmitting to the first sensor information about a belief state of the 
second sensor, said belief state of the second sensor indicating a state of at least one 
system resource or service directly monitored by the second sensor; and 

(b) adjusting a belief state of the first sensor, said belief state of the first 
sensor indicating a state of at least one system resource or service directly monitored 
by the first sensor, the adjusting based at least in part on the belief state of the second 
sensor, so that a sensitivity of the first sensor to suspicious activity in the intrusion 
detection system is improved. (Emphasis added)



4. A method for reducing false alarms generated by an intrusion detection system 
when a monitored resource is degraded or compromised, the intrusion detection system 
having a first sensor and a second sensor each maintaining belief regarding a state of a 
resource monitored by the intrusion detection system, the method comprising the steps 
of:

(a) transmitting to the first sensor all or part of a belief of the second sensor
regarding an apparent normal, degraded or compromised state of a resource directly 
monitored by the second sensor; and 

(b) adjusting a belief state of the first sensor, said belief state of the first 
sensor indicating an apparent normal, degraded or compromised state of a resource 
directly monitored by the first sensor, so that an erroneous transaction with the 
degraded or compromised resource does not generate an alarm in the intrusion 
detection system. (Emphasis added)



5. A method for enhancing a sensitivity of an intrusion detection system that 
monitors a plurality of computer system resources, the intrusion detection system 
having a first sensor and a second sensor each maintaining belief regarding a service 
monitored by the intrusion detection system, the method comprising the steps of: 

(a) transmitting to the first sensor all or part of a belief state of the second 
sensor regarding an existence or validity of services supported on computer system 
resources directly monitored by the second sensor; and 

(b) adjusting a belief state of the first sensor, said belief state of the first 
sensor indicating an existence or validity of services supported on computer system 
resources directly monitored by the first sensor, so that an attempted communication 
with a nonexistent system service or resource appears suspicious to the intrusion 
detection system. (Emphasis added)



10. A computer readable storage medium containing an executable program for 
correlating a first sensor to a second sensor in an intrusion detection system, the first
sensor and the second sensor each maintaining belief regarding a resource or service 
monitored by the intrusion detection system, where the program performs the steps of: 

(a) transmitting to the first sensor information about a belief state of the 
second sensor, said belief state of the second sensor indicating a state of at least one 
system resource or service directly monitored by the second sensor; and 

(b) adjusting a belief state of the first sensor, said belief state of the first 
sensor indicating a state of at least one system resource or service directly monitored 
by the first sensor, the adjusting based at least in part on the belief state of the second 
sensor, so that a sensitivity of the first sensor to suspicious activity in the intrusion 
detection system is improved. (Emphasis added)

11. A computer readable storage medium containing an executable program for 
reducing false alarms generated by an intrusion detection system when a monitored 
resource is degraded or compromised, the intrusion detection system having a first 
sensor and a second sensor each maintaining belief regarding a state of a resource 
monitored by the intrusion detection system, where the program performs the steps of: 

(a) transmitting to the first sensor all or part of a belief of the second sensor 
regarding an apparent normal, degraded or compromised state of a resource directly 
monitored by the second sensor; and 

(b) adjusting a belief state of the first sensor, said belief state of the first 
sensor indicating an apparent normal, degraded or compromised state of a resource 
directly monitored by the first sensor, so that an erroneous transaction with the
degraded or compromised resource does not generate an alarm in the intrusion 
detection system. (Emphasis added) 

12. A computer readable storage medium containing an executable program for 
enhancing a sensitivity of an intrusion detection system that monitors a plurality of 
computer system resources, the intrusion detection system having a first sensor and a 
second sensor each maintaining belief regarding a service monitored by the intrusion 
detection system, where the program performs the steps of: 

(a) transmitting to the first sensor all or part of a belief state of the second 
sensor regarding an existence or validity of services supported on computer system 
resources directly monitored by the second sensor; and 

(b) adjusting a belief state of the first sensor, said belief state of the first 
sensor indicating an existence or validity of services supported on computer system 
resources directly monitored by the first sensor, so that an attempted communication 
with a nonexistent system service or resource appears suspicious to the intrusion 
detection system. (Emphasis added)



As discussed above, Purtell fails to disclose or suggest a method for correlating 
sensors in an intrusion detection system by adjusting a belief state of a first sensor 
based on a belief state of a second sensor, where the adjustment improves the 
sensitivity of the first sensor to suspicious activity (e.g., attempted communications with
nonexistent services or resources) and/or reduces alarms generated by erroneous
transactions, as claimed in Applicants' independent claims 1, 4, 5, and 10-12.
Therefore, the Applicants submit that independent claims 1, 4, 5, and 10-12 fully 
satisfy the requirements of 35 U.S.C. §102 and are patentable thereunder. 

Dependent claim 2 depends from claim 1 and recites additional features
therefor. As such, and for at least the same reasons set forth above, the Applicants
submit that claim 2 is not anticipated by the teachings of Purtell. Moreover, Purtell fails
to teach or suggest the method of claim 1, wherein the first and second sensors are
different types of sensors, as recited by Applicants' claim 2. By contrast, Purtell teaches
a system in which devices of the same type (i.e., firewalls) share data (TCP control 
blocks). There is no suggestion anywhere in Purtell that the shared data is provided to 
any devices other than the firewalls. The portion of Purtell that the Examiner cites to 
teach the feature of first and second sensors that are different types of sensors at best 
teaches that the firewalls may be proxy servers, which are merely a specific type of 
firewall (See, e.g., Purtell, column 1, lines 41-43: "A common type of firewall is a proxy
server...," emphasis added). Moreover, Purtell suggests that in a preferred
embodiment, all of the firewalls are proxy servers ("In a preferred embodiment, the
firewalls are configured as proxy servers," Purtell, column 3, lines 33-34). Nowhere in
Purtell is it suggested that the firewalls comprise a mix of firewalls and other devices, or 
a mix of proxy servers and other devices. Therefore, the Applicants submit that 
dependent claim 2 also fully satisfies the requirements of 35 U.S.C. §102 and is 
patentable thereunder. 

III. REJECTION OF CLAIM 3 UNDER 35 U.S.C. §103

Claim 3 stands rejected as being unpatentable over Purtell in view of the Timm 
patent (U.S. 5,440,498, hereinafter "Timm"). The Applicants respectfully traverse the 
rejection. 

As discussed above, Purtell does not teach or even suggest a method for 
correlating sensors in an intrusion detection system by adjusting a belief state of a first 
sensor based on a belief state of a second sensor, where the adjustment improves the 
sensitivity of the first sensor to suspicious activity (e.g., attempted communications with
nonexistent services or resources) and/or reduces alarms generated by erroneous
transactions, as claimed in Applicants' independent claim 1, from which claim 3
depends. Applicants' claim 1 has been recited above. Timm does not bridge this gap in
the teachings of Purtell. Purtell and Timm, singularly or in any permissible combination,
thus fail to teach or suggest all of the features of Applicants' independent claim 1.
Therefore, the Applicants submit that independent claim 1 fully satisfies the 
requirements of 35 U.S.C. §103 and is patentable thereunder. 

Dependent claim 3 depends from claim 1 and recites additional features
therefor. As such, and for at least the same reasons set forth above, the Applicants
submit that claim 3 is not made obvious by the teachings of Purtell in view of Timm. 
Therefore, the Applicants submit that dependent claim 3 also fully satisfies the 
requirements of 35 U.S.C. §103 and is patentable thereunder. 

IV. CONCLUSION 

Thus, the Applicants submit that all of the presented claims fully satisfy the 
requirements of 35 U.S.C. §101, 35 U.S.C. §102 and 35 U.S.C. §103. Consequently, 
the Applicants believe that all of these claims are presently in condition for allowance.
Accordingly, both reconsideration of this application and its swift passage to issue are 
earnestly solicited. 

If, however, the Examiner believes that there are any unresolved issues requiring 
the maintenance of the final action in any of the claims now pending in the application, it 
is requested that the Examiner telephone Mr. Kin-Wah Tong, Esq. at (732) 530-9404 so
that appropriate arrangements can be made for resolving such issues as expeditiously 
as possible. 



Respectfully submitted, 



October 13, 2008
Date 




Kin-Wah Tong, Attorney 
Reg. No. 39,400 
(732) 530-9404 



Patterson & Sheridan, LLP 
595 Shrewsbury Avenue 
Shrewsbury, New Jersey 07702 